Why Should I Upgrade to Windows 10?

In the past, justifying a move to a new operating system on financial grounds was a difficult case to make, especially if your primary focus was maintaining user productivity. An OS migration inevitably introduces disruption for your users, which can stretch the migration over many months, even years in many cases. In this age of modern desktop management, however, Windows 10 is a compelling choice. Windows 10 marks the most significant release of Windows in decades: besides introducing security options critical to cyber security, it delivers a new user experience, a common platform across devices, a new delivery and servicing model, and much more.

Written by Vishal Ladwa, Principal Consultant, on 01 Apr 2018

Many companies are already planning for Windows 10, or are working out the cost-benefit analysis to quantify the benefits Windows 10 can bring to their organisation. For a better view of the intangible benefits of moving to Windows 10, take a look at the Forrester Total Economic Impact (TEI) report commissioned by Microsoft. It analyses real-world migrations to Windows 10 and breaks down the cost savings and productivity improvements from embracing the Windows 10 security features, as well as highlighting improvements in deployment and ongoing management and maintenance, in particular with System Center Configuration Manager (ConfigMgr) and the Windows 10 servicing model.

These days security breaches frequently make headline news, and they increase financial risk through lost productivity and growth, the cost of the data breach itself and corporate liability. The security features available in Windows 10 therefore provide some of the biggest benefits and one of the most compelling reasons for organisations to adopt Windows 10 sooner. Windows 10 is the most secure Windows ever. So what are some of these security benefits that every enterprise needs today?

Windows Hello

To mitigate credential theft, Windows Hello allows employees to authenticate securely using biometrics, in the form of fingerprint or facial recognition. The biometric data is stored only locally on the device and is never shared with external devices or servers. An attacker must therefore have both the device and the biometric information to gain access.

SmartScreen

The web browser is one of the first entry points to your systems and remains a favourite target for attackers, which is why it needs protecting. When you browse the internet using the Microsoft Edge browser, SmartScreen will prevent you from going to well-known malicious websites. This blocks around 97% of the threats out there, which is great, but there are still going to be vulnerabilities and exploits.

Secure Boot

Secure Boot prevents malware known as a “bootkit” from loading during the boot process. Bootkits are particularly tricky to detect because they load before Windows starts and modify its behaviour to hide themselves once Windows is running. Switching to UEFI goes some way to prevent this; however, malware is always developing to compromise UEFI loaders. Secure Boot, which is enabled in the UEFI firmware, will only load boot files from a trusted source, which is hardcoded in the UEFI firmware and can only be modified by the hardware manufacturer. Ultimately, with Secure Boot any compromised or unauthorised boot files will not be loaded, so the OS will not boot, preventing a wider breach.

Device Guard

Device Guard provides improved protection against malware and zero-day exploits by blocking anything other than trusted apps. It uses a combination of hardware technology and virtualisation-based security to allow only trusted code to execute as the OS kernel, device drivers, services and finally user applications are loaded. The traditional anti-virus approach is to trust anything unless it is known to be malicious, and the virus definitions need frequent updates to protect against new threats. Device Guard starts from a trust-nothing approach, preventing any code from executing unless it has been specifically whitelisted as signed and trusted, from the core kernel to the application layer. Most recognised enterprise vendors sign their code, and you can deploy Device Guard policies, typically managed via ConfigMgr, to define which signatures are trusted in your environment. Unlike traditional anti-malware technology, Device Guard isolates the signature from the OS through virtualisation, preventing malware or elevated users from tampering with it.

Credential Guard

These days malware is designed to install silently and undetected on the machine of an unsuspecting user who has been tricked into clicking a link or email attachment that otherwise appears trustworthy. These kinds of security breaches (known as phishing) often result in confidential data being leaked into the wrong hands. The attacker can then use a technique known as pass-the-hash to reuse hashed credentials to spread malware to other systems. This way they can gain elevated privileges and ultimately access secured resources in order to exfiltrate data. To mitigate these kinds of threats, Credential Guard uses virtualisation-based security to isolate and protect the hashed credentials that were previously stored in memory, preventing them from being accessed by anything other than the Windows Local Security Authority (LSA).
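The Secure Boot, Device Guard and Credential Guard sections above all describe protections that only help if they are actually switched on and running, and a compromised or misconfigured build can silently lack them. The PowerShell below is an added example, not code from the original post or from Microsoft; it reports the local state of those three protections using the built-in `Confirm-SecureBootUEFI` cmdlet and the `Win32_DeviceGuard` WMI class. It assumes a UEFI system running Windows 10 and an elevated prompt; the numeric status codes in the comments are the documented values for that class.

```powershell
# Added example (not from the original post): report whether the boot and
# virtualisation-based protections discussed above are active on this machine.
# Run from an elevated PowerShell prompt on Windows 10 (UEFI firmware assumed).

function Get-SecureBootState {
    try {
        if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch {
        # Confirm-SecureBootUEFI throws on legacy BIOS systems or when not elevated
        "Not available ($($_.Exception.Message))"
    }
}

function Get-VbsState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Off' }
        1 { 'Enabled, not running' }
        2 { 'Running' }
        default { 'Unknown' }
    }

    # SecurityServicesRunning lists the VBS-backed services that are actually running:
    # 1 = Credential Guard, 2 = Hypervisor-enforced Code Integrity (the kernel half of Device Guard)
    $running = @($dg.SecurityServicesRunning)

    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbs
        CredentialGuardRunning      = ($running -contains 1)
        HvciRunning                 = ($running -contains 2)
        # Code integrity policy status: 0 = off, 1 = audit only (logged, not blocked), 2 = enforced
        KernelCodeIntegrityPolicy   = $dg.CodeIntegrityPolicyEnforcementStatus
        UserModeCodeIntegrityPolicy = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    }
}

$report = Get-VbsState
$report | Add-Member -NotePropertyName SecureBoot -NotePropertyValue (Get-SecureBootState)
$report | Format-List
```

A healthy build shows SecureBoot `Enabled`, VirtualizationBasedSecurity `Running`, and both CredentialGuardRunning and HvciRunning `True`; a code integrity policy reported as `1` means Device Guard is only auditing, so untrusted code is logged rather than blocked. Any other combination is a finding to chase down before relying on these features, and the same checks are the kind of evidence a health attestation service needs from a device.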

Device Health Attestation (DHA)

We also need to validate the integrity of the workstation. You can’t trust a workstation that has been infected, because the malware is going to report that everything is healthy, so we need a remote resource that can validate a workstation’s health. DHA is a cloud service that checks, for example, whether Secure Boot is enabled and antivirus is turned on in order to determine whether the device gets access to corporate resources like email or VPN, keeping devices off your network if they turn out to be unhealthy.

Advanced Threat Protection (ATP)

Similar to an airline flight recorder, every action that happens on a workstation, and every relationship between those actions, is mapped out so you can see in real time and in detail what is happening on that workstation. That data is sent to the cloud, which consumes it in your tenant, and machine learning then applies all sorts of heuristics to detect malicious or anomalous behaviour. This machine learning is being improved every day with new indicators of compromise that get baked into the engine.

The Microsoft security team analyses adversary groups to track their behaviour and tactics and to build indicator models which trigger alerts if your organisation has experienced a very sophisticated, targeted breach, probably using a zero-day vulnerability, assuming you're patching your environment regularly.

Windows Information Protection (WIP)

Leaking data accidentally or intentionally is becoming common in the workplace, and it results in severe costs and penalties. In a mobile-first, cloud-first world this problem is only getting more complex, as data no longer resides within your perimeter. WIP is one of the key new security features in Windows 10 Mobile and the Windows 10 Anniversary Update. It enables you to protect your corporate documents by encrypting them when they come from inside your enterprise environment, such as SharePoint, Exchange, websites or file shares. When a user then shares this information (accidentally or intentionally) with people outside your organisation, WIP lets you prevent or allow that sharing.